FRA Opinions Biometrics

Providing information in an understandable and transparent manner

Article 5 (1) of the General Data Protection Regulation (GDPR) requires that third-country nationals are informed about the relevant aspects of their personal data being processed in a transparent, intelligible and easily understandable manner. FRA research found that authorities that collect personal data of asylum and visa applicants, as well as of migrants in an irregular situation, and then store these data in IT systems, find it challenging to provide information in an understandable manner. Rights holders are often not fully informed of all aspects of the data processing and have difficulties understanding the information they receive. This is particularly true when the information system at issue serves a number of purposes and processes. With interoperability, ensuring the right to information may become increasingly challenging.

Transparency about the purpose of fingerprinting encourages the persons concerned to cooperate with the authorities, thus preventing situations from escalating. Authorities often find it challenging to provide information covering all aspects of the processing of data of asylum applicants and apprehended migrants, as required by Article 29 of the Eurodac Regulation (Article 30 of the recast proposal), including the use of the data for the Dublin procedure and for investigations of serious crimes and terrorism. Challenges increase when fingerprints are collected in stressful situations. If authorities provide no or only limited information, asylum applicants and migrants in an irregular situation perceive EU Member States to be acting in a non-transparent manner, according to FRA research. This affects their willingness to cooperate with the authorities.

The European Commission carries out evaluations in Member States to assess the implementation of the Schengen acquis. Such ‘Schengen evaluations’ also cover large-scale IT systems. They are an important tool to ensure compliance with the duty to inform, which is included in the legal instruments of all the IT systems, although restrictions apply to certain data recorded in SIS II.

The right to information must cover all purposes of the data processing in IT systems in the field of asylum and migration management, and must include information on how to exercise the right of access, correction and deletion. EU Member States should strengthen their efforts to provide information in an age- and gender-sensitive way, as well as in a culturally appropriate manner. Particularly in the context of processing biometric data for Eurodac, consideration could be given to complementing standard leaflets with short illustrative videos that inform people in an accessible way.

EU Member States should foster a sense of transparency by providing information in full, covering all aspects of data processing in IT systems in the field of asylum and migration management. This may also positively influence people’s willingness to cooperate. EU Member States should ensure systematic registration in Eurodac through effective information and counselling. This should be carried out individually as well as through outreach actions targeting asylum applicants and apprehended migrants – such as focus group discussions, information sessions and similar initiatives. Where the European Asylum Support Office (EASO) and Frontex support Member States in registering asylum seekers and migrants in an irregular situation in Eurodac, they should similarly provide effective information and counselling. If IT systems become interoperable, the European Commission – with the support of relevant Justice and Home Affairs ( JHA) agencies – should develop tools and guidance to support EU Member States in ensuring full compliance with the right to information.

When carrying out Schengen evaluations, the European Commission should systematically assess how Member States implement the right to information and whether it is effective. The assessment should look at whether the information given covers all purposes of the data processing, and how the person concerned can exercise his or her right of access, correction and deletion. In this context, visibility should be given in Schengen evaluation reports to good practices found in Member States.

Respecting human dignity when taking fingerprints

Biometric data must be collected in a manner that respects human dignity. Human dignity is inviolable and laid down in Article 1 of the Charter. It is the foundation for all fundamental rights in the Charter.

Individuals may be physically unable – due to disabilities for example – or unwilling to provide fingerprints. Although rare, asylum seekers and migrants in an irregular situation may refuse to provide fingerprints for Eurodac – a phenomenon which does not seem to occur in the context of VIS. People are reluctant to give their fingerprints for different reasons. Many do this to avoid being transferred, under the Dublin procedure, to an EU Member State in which they do not want to be. FRA’s field-research also revealed, however, that some refuse out of fear that their biometrics will be shared with their country of origin. The willingness to provide fingerprints would increase if asylum seekers and migrants in an irregular situation felt treated fairly and had trust in the procedures, and if family re-unification under Dublin were to work smoothly.

According to FRA findings, disproportionate force has been used when fingerprinting asylum seekers and migrants in an irregular situation. Given the vulnerability of the people concerned and the obligation to use the least invasive means, it is difficult to imagine that using physical or psychological force solely to obtain fingerprints for Eurodac would be justified. To enforce the duty to provide fingerprints, EU Member States have in some cases also resorted to detention.

When the authorities have difficulties in taking fingerprints that meet set quality standards, they sometimes suspect the person of having injured his or her fingertips on purpose to avoid fingerprinting, as FRA research shows.

Fingerprinting often takes place in stressful situations – at night or following a large numbers of arrivals for example. In such situations, fingerprinting poses high demands on staff, increasing the risk of inappropriate police behaviour due to exhaustion or stress. This, in turn, may undermine the dignity of the person being fingerprinted. Fingerprinting persons in a vulnerable situation, including those with disabilities or those who have experienced gender-based violence, requires particular attention. According to FRA findings, however, training tends to focus on the technical aspects of fingerprinting, and less on the treatment of the persons being fingerprinted.

Given that it entails a high risk of violating fundamental rights, EU Member States should avoid the use of physical or psychological force to address refusals to give fingerprints as observed for Eurodac. Where EASO and Frontex support Member States in registering asylum seekers and migrants in an irregular situation in Eurodac, they should similarly refrain from resorting to physical or psychological force to address such refusals.
Putting people under pressure to give their fingerprints must under no circumstances risk traumatisation or re-victimisation. Therefore, EU Member States should not coerce suspected victims of torture, victims of sexual or genderbased violence, victims of other serious crimes, or traumatised people, into giving fingerprints; nor should other people who are usually considered to be vulnerable be coerced into providing fingerprints. The FRA 2015 checklist to act in compliance with fundamental rights when obtaining fingerprints for Eurodac provides concrete guidance.

Depriving individuals of liberty to pressure them into giving their fingerprints must remain an exceptional measure, respecting all requirements of EU law and the European Convention on Human Rights (ECHR). Before EU Member States resort to deprivation of liberty to obtain fingerprints, asylum applicants and migrants in an irregular situation must be provided with an effective opportunity to comply with the fingerprinting requirements.

EU Member States should continue to train and issue guidance on the need to ensure full respect of the right to human dignity. Such training and guidance should be provided to their own staff as well as to staff of their service providers in charge of taking fingerprints. These measures should also focus on the treatment of vulnerable people, such as persons with disabilities and traumatised persons.
To reduce the risk of tensions, EU Member States should have sufficient well-trained staff for fingerprinting and avoid giving this task to police officers or border guards who apprehend persons entering the country in an irregular manner. Where relevant, Member States could consider setting up mobile fingerprinting units as this would reduce the risk of inappropriate police behaviour caused by exhaustion, stress and other factors.

Large-scale IT systems affect the rights of children in different ways. Article 24 of the Charter emphasises that the best interests of the child must be a primary consideration in all actions public authorities and private actors take concerning children. This also applies to fingerprinting. Field research shows limited efforts to inform children in a child-friendly and child-sensitive manner, in accordance with their age and maturity, although police and border guards often take extra time during the fingerprinting itself to adapt to the needs of the child. FRA research also points to allegations of incidents involving the use of force to fingerprint children. The risk of re-traumatisation for children is particularly apparent in such instances.

As a child grows, the accuracy of a biometric match diminishes. Taking young children’s fingerprints affects the quality and reliability of future matches to those fingerprints. The risk of a wrong match increases when the fingerprints or facial images are compared more than five years after they were taken.

EU Member States should never use force against children or deprive them of liberty to obtain their fingerprints. Officers should build up a relationship of trust with the child. Through internal guidance, instruction and training, EU Member States should ensure that children are fingerprinted in a childfriendly, as well as child- and gender-sensitive manner; that they are assisted by their parents (or guardians if they are unaccompanied); and that they are provided with child-friendly and childsensitive information on the purpose and modalities of fingerprinting. Where EASO and Frontex support Member States in fingerprinting children, they should similarly, through such measures, build up a relationship of trust with the child.
To compensate for the decreasing reliability of fingerprints over time, EU Member States should ensure that matches based on biometric data collected from a child more than five years earlier are always subject to further careful verification by dactyloscopic experts, as well as checks against other available data.

Optimising the use of IT systems to trace missing children

Many unaccompanied or separated children who enter the EU subsequently go missing. Some of those missing may be subject to abuse and exploitation, including trafficking in human beings. IT systems could better support their protection, according to border guards interviewed. Interviewed experts pointed out, however, that the focus remains on perpetrators and that a more victim-centred approach would be needed.

Children avoid being registered or go missing for multiple reasons. These include lack of trust in family reunification under Dublin; fear of being prevented from reaching their intended destinations; and lengthy processing times for their asylum applications. Data processed on children could be used more effectively for child protection purposes. Interoperability may bring new opportunities to trace missing and abducted children, provided EU Member States more systematically create an SIS II alert when an unaccompanied child goes missing and referrals improve between police and child protection authorities.

To support the detection of missing children or of child victims of trafficking in human beings, EU Member States need to record missing children systematically in SIS II. This requires functioning reporting mechanisms between reception centres and the police. To ensure that the data stored are used for child protection purposes – and not only for law enforcement – EU Member States need to put in place effective cooperation mechanisms between police and child protection authorities as well as guardians. This should be complemented by tailored training for practitioners who may encounter children at risk.

In technical terms, the state of the art of technology determines the options that the EU and its Member States have when creating new systems or improving existing ones. Industry and the scientific research community can play an important role in developing technical solutions that promote respect for fundamental rights, including the protection of personal data. They should continue to embed data protection by design and by default in the technical solutions they devise for IT systems.

Whenever they fund research and development activities, the EU and its Member States should require contractors to involve experts on personal data protection and other fundamental rights. Scientific researchers and industry should pay attention to the effect of phenotypical characteristics, as well as age and gender, on the composition of test groups, to eliminate any risks of discriminatory outcomes of test results.

Strong safeguards to prevent unlawful access to data

The principle of purpose limitation – as mirrored in Article 8 (2) of the Charter, as well as in Article 5 (1) (b) of the GDPR and Article 4 (1) (b) of the Police Directive – requires that personal data are processed only for specified purposes, which must be explicitly defined. By optimising the use of IT systems for combating irregular migration, as well as serious crimes and terrorism, there is a risk of function creep – meaning that the data may be used for purposes that were not initially envisaged. This risk is particularly high in the case of interoperability between IT systems.

Article 28 and Article 32 of the GDPR require EU institutions and EU Member States to take necessary measures to avoid that data are disclosed to, or accessed by, unauthorised persons or organs. Private actors, such as carriers, may in some instances access limited parts of the EES (Articles 13) and ETIAS (Article 39). If IT systems are made interoperable, personal data stored in one system will be used across all systems to ensure correct identification of a person. Ensuring purpose limitation in such scenarios is particularly challenging.

IT systems that include data on asylum applicants may be particularly attractive for hacking by oppressive regimes or persecuting agents. Strong data security safeguards must limit such risks.

EU institutions and EU Member States need to put in place all reasonable safeguards to ensure that data stored in IT systems in the field of asylum and migration are not unlawfully accessed. As private actors will use some IT systems, effective firewalls must prevent them from seeing data they are not allowed to see.
EU institutions and EU Member States should monitor access to IT systems through log files. The log files should specify who accessed a particular system and for what purpose. National data protection authorities and the European Data Protection Supervisor (EDPS) should have access to log files on request. Authorities should only print and store hard copies of the data where doing so is duly justified, and adhere strictly to physical access control and retention rules.
The EU legislator and EU Member States must ensure that legislation on interoperable IT systems does not result in circumventing access rules included in the legal instruments establishing the individual IT systems.

Ensuring respect for the right to seek asylum

FRA research findings reveal that some people with injured fingertips are suspected of deception although they are not intentionally avoiding to provide fingerprints. A suspicion that a person wishes to deceive the authorities affects their right to asylum, protected under Article 18 of the Charter. The physical inability to provide fingerprints due to the texture of one’s fingertips or a disability must not result in unequal treatment or discrimination prohibited by Articles 20 (equality before the law) and 21 (non-discrimination) of the Charter.

Many people seek to hide their identity when fleeing their country of origin to protect themselves. Others may be physically unable to obtain the documents necessary for legal entry, such as a passport and visa, when escaping conflict or persecution. Interpol runs two databases:

one for stolen and lost travel documents, the Stolen and Lost Travel Documents (SLTD) database;

one for individuals who are subject of an Interpol alert, the Interpol Travel Documents Associated with Notices (TDAWN) database.

Oppressive regimes may include information about political opponents in these Interpol databases to prevent them from leaving the country or to track their movements. These databases are to be included among the interoperable IT systems the EU is setting up.

Persons assessed to be in need of international protection but subject to an entry ban can still be issued a visa with limited territorial validity, according to Article 25 of the Visa Code. Such a visa allows them to cross the EU’s external border and provides them with the possibility to seek safety.

EU Member States should provide guidance to eligibility officers to ensure that the overall trustworthiness and credibility of asylum applicants is not undermined by an assumption that the inability to give fingerprints, or to only give low quality fingerprints, derives from an asylum applicant’s unwillingness to provide fingerprints and a wish to hide their identity.

EU Member State authorities should use information included in the Interpol databases on travel documents with caution. Records entered by third countries in the SLTD and TDAWN databases should always be carefully manually reviewed to avoid having such entries have an undue impact on the right to asylum.

Prohibiting the transfer of data to third countries

Article 18 of the Charter protects the right to asylum. Effective access to international protection also forms the basis of protection from refoulement as enshrined in Article 19 of the Charter and Article 78 of the Treaty on the Functioning of the EU.

Sharing personal data with third countries can lead to particular risks for persons in need of international protection. They or their families may be subject to retaliation measures, ranging from criminal sanctions upon return to persecution of family members. The legal instruments for the IT systems generally prohibit sharing information with third countries, which reveals that a person is, or has been, an applicant for international protection in the EU. In practice, such safeguards are not always systematically followed, FRA research shows.

Under certain conditions, and typically for return purposes, personal data stored in IT systems may be shared with third countries. To prevent harm, in the case of asylum applicants, information is normally only shared with the third country at the end of the asylum procedure. However, in specific circumstances this may also be done before the procedure is completed – for example, following rejection of the application by the administration but where an appeal to the court is still pending. Such an approach can put people at risk. Safeguards are required to avoid that such transfers endanger the safety of asylum applicants or of their family members.

At the same time, IT systems can also be used to confirm an asylum applicant’s claimed identity, thus reducing the risk of a removal in violation of the principle of non-refoulement.

EU Member States must take all necessary measures to prevent information that a third-country national has lodged a claim for international protection from being shared with third countries.
In case of rejected asylum applicants, EU Member States should in principle only share personal data with third-country authorities for the purpose of return when the claim has been rejected in the final instance and is no longer subject to review.

Evaluating carefully how access by law enforecement affects fundamental rights

All EU IT systems except for SIS II and ECRIS-TCN contain data on persons not suspected of having committed any crimes. Nevertheless, law enforcement authorities are allowed to access data stored in Eurodac, VIS, EES and ETIAS for the purposes of fighting serious crime and terrorism, provided they adhere to the safeguards specified in the legal instruments. One of these safeguards is the ‘cascade system’, which obliges EU Member States to first consult national databases that are directly linked to criminal investigations, and only then consult EU-level IT systems. When consulting EU IT systems, they must consult VIS before requesting access to Eurodac, because information on asylum applicants is particularly sensitive. This is to ensure that data sets on asylum applicants – a group particularly vulnerable to fundamental rights violations – are only consulted as a last resort.

Children’s right to such protection and care which is necessary for their well-being, set out in Article 24 of the Charter, requires measures to prevent future stigmatisation of children for acts they have committed in the past. Article 40 of the Convention on the Rights of the Child requires giving special attention to the treatment of children alleged to have, or being accused of or recognised as having infringed the penal law. According to the Charter, the child’s best interests must be a primary consideration (Article 24). Information on criminal records may have a disproportionate effect on the development of the child. In case of immigrationrelated offences, the criminal record could be the consequence of decisions taken by the child’s parents.

The EU and its Member States should carefully assess the fundamental rights impact of access by law enforcement to data stored in IT systems in the field of asylum and migration. These data systems typically concern people who are not suspected of having committed crimes. The EU legislator should ensure that any solution for allowing access to EU IT systems by law enforcement for the purposes of fighting serious crime and terrorism continues to require the police to first consult databases more directly linked to criminal investigations. This is best ensured through retaining the ‘cascade system’. Any alternatives to the cascade system would need to achieve the same objective. This means that personal data not collected for purposes of criminal investigations should only be accessed by law enforcement, if the information necessary to fight serious crime and terrorism is not available in databases more directly linked to criminal investigations. This concerns especially persons who are particularly vulnerable, such as persons in need of protection.

The EU and its Member States should consider either excluding from access by law enforcement information stored in ECRIS-TCN revealing that a child has a criminal record, or limiting the availability of this information to very serious crimes.

Applying apprehension policies in line with fundamental rights

In addition to serving their specific purposes, most IT systems also contribute to the control of irregular immigration. They may be consulted to find and apprehend migrants in an irregular situation. For example, the EES will produce a list of persons whose right to stay in the Schengen area has expired. This list of so-called ‘overstayers’ can be matched with other IT systems, which will be an easy exercise once systems are made interoperable.

FRA has previously highlighted that certain apprehension practices disproportionately affect fundamental rights of migrants in an irregular situation. Accordingly, FRA discouraged apprehensions near providers of essential services – such as schools or healthcare centres. Interoperability of information systems will make it more difficult for migrants in an irregular situation to report a crime to the police, either as victims or as witnesses, as the police will automatically see the person’s irregular residence status and, in most cases, be obliged under national law to initiate return procedures. With an increased risk of apprehension, migrants in an irregular situation will be even more reluctant to approach the police, contributing to impunity for perpetrators.

EU Member States are encouraged to continue to apply FRA’s 2014 guidelines on the rights-compliant apprehension of migrants in an irregular situation, paying particular attention to new risks for migrants’ fundamental rights that interoperability may create.

Improving data quality

Mistakes in the IT systems used in the field of asylum and migration management can have serious consequences for individuals. For example, the police may arrest a person or border guards may not let a person cross the border. In the case of asylum applicants, they may be suspected of having intentionally tried to provide a false identity, affecting the perceived trustworthiness of their whole asylum claim.

FRA research shows that EU IT systems contain inaccurate alphanumeric data, such as names or dates of birth, due to various reasons. According to the GDPR and Police Directive, EU Member States have the duty to verify the quality of personal data before they are made available to data users. Significant efforts are underway, including proposals to strengthen the role of eu-LISA in supporting Member States in improving data quality. Nevertheless, increased attention is needed to avoid having low quality data in the systems negatively affecting individuals’ fundamental rights.

Biometric data connect a person to alphanumerical data stored in an IT system. The quality of the biometric identifier is, therefore, of paramount importance. Although rare, FRA field research did reveal individual incidents of Dublin transfers being carried out based on false biometric matches. Presently, data quality standards for collecting fingerprints in Eurodac, which mainly holds personal data on asylum applicants, are higher than standards for collecting biometric data in VIS, for which a “zero-failure to enrol initiative” is applied, following requests by Member States. This means that for VIS the individual Member States are responsible for controlling the quality, whereas for Eurodac this is centrally carried out by eu-LISA. However, fingerprints collected for Eurodac may be checked against VIS to see if an applicant requested a visa in the past. If IT systems become interoperable, a person’s biometric identifier will connect the person to information contained in all IT systems, regardless of the quality standard according to which it was collected. Interoperability is also foreseen to include measures for improved reporting and collection of statistics, which would enhance data quality.

A person’s physical development over time may reduce the reliability of matches based on biometric data, particularly after longer periods. This may be particularly relevant to cases involving children, especially if data are retained for more than five years.

National authorities and experts attach a high degree of credibility to biometric data, and processing such data is technically complex. This makes it difficult for persons concerned to rebut errors in IT systems, and even more difficult to prove that a biometric match was incorrectly generated. FRA research shows that mistakes can occur when, for instance, a person’s fingerprints are mistakenly linked to another person’s alphanumeric data.

The Council of the EU should continue to put data quality issues on the agenda of relevant working parties to promote the implementation of best practices identified by eu-LISA and other actors. This should include the following:

Relating to alphanumeric data, the development of EU-wide guidelines on cultural norms, addressing issues such as transliterations, naming cultures, dates of birth according to different calendars and different ways of reporting age. Such guidelines would contribute to better data quality.

Relating to biometric data, reviewing quality standards for fingerprints stored in VIS, taking into account that asylum seekers’ fingerprints may also be matched against VIS to determine the Member State responsible for processing their claims under the Dublin system.

A collection of good administrative practices to limit mistakes, such as the use of electronic readers, search criteria, and the simplification of procedures.

A collection of technical safeguards that reduce the risk of mistakes, such as automatic verification against other databases when data are inserted, and possibilities to use phonetic searches.

Improving the collection of statistics on inaccurate and low quality data.

The European Commission should include data quality issues in the Schengen evaluations to support the implementation of the recommendations and best practices eu-LISA develops.

EU Member States also need to pay particular attention to the quality of data stored in national databases, if these data are transferred to EU IT systems. They should, for instance, develop standardised procedures for verification of data stored in national IT systems.

eu-LISA has an important role to play in monitoring whether EU Member States adhere to quality standards for biometrics. When supporting the development of quality control mechanisms for capturing as well as matching biometrics, eu-LISA should consider the following aspects, which have an impact on fundamental rights:

age – specifically, of children as well as older persons; guidelines on capturing and matching biometrics, notably facial images, of individuals going through rapid developmental changes;

disabilities – such as the possible impact of a missing eye on algorithms for facial images; difficulties in accessing fingerprinting equipment for persons with disabilities;

phenotypical characteristics in the context of facial recognition – reflection of light affects the quality of facial images of very fair-skinned persons, and not enough light affects the quality for very dark-skinned persons.

To reduce the risk of mistakes, EU Member States need to make efforts to involve the persons whose personal and biometric data are collected and used in verification procedures. They should be open to plausible arguments presented by the persons concerned that may indicate a false biometric match, or an administrative mistake – for instance, that the biometric identifier has incorrectly been linked to another person’s alphanumeric data.

Effectively exercising the right of access, correction and deletion of personal data

Article 8 (2) of the Charter, as well as EU data protection law, provide for the right of access, correction and deletion of one’s own data that are stored. The specific legal instruments regulating the IT systems also mirror this right.

In spite of frequent data quality issues, complaints about incorrect or unlawful data use are rare. There is a lack of awareness and understanding of how to exercise the right of access, correction or deletion of inaccurate data that are stored. The cumbersome nature of the processes, administrative hurdles, language barriers and lack of specialised lawyers also explain why few persons try to exercise these rights.

According to FRA findings, complicated procedures and administrative and language barriers may in practice prevent the persons concerned from exercising their right of access, correction and deletion. Such difficulties may be exacerbated if IT systems are made interoperable. The establishment of a ‘one-stop-shop procedure’ for receiving requests to access, correct and delete data could simplify procedures. According to FRA research, very few lawyers are specialised in seeking to enforce the right of access, correction and deletion of data stored in IT systems, making it even more difficult for the persons concerned to exercise their rights.

EU Member States should raise awareness about the right of access to one’s own data stored in IT systems in the field of asylum and migration. They should systematically make available information on how to exercise the right of access, correction and deletion of data stored in these EU IT systems on the websites of concerned ministries acting as controllers of the data, national data protection authorities, as well as service providers for visa applications.

EU Member States should put in place simplified procedures to allow people to exercise their right of access, correction and deletion, removing administrative, language and other practical barriers. Persons exercising these rights should always receive a reply indicating the action taken. In the implementation of national programmes under the Asylum, Migration and Integration Funds and Internal Security Funds, EU Member States should consider giving priority to projects for the training of lawyers on how to exercise the right of access, correction and deletion of data stored in EU IT systems.